On 12/2/2011 3:56 AM, Jean-Pierre Fortune wrote:
> Thank you. But I still have the problem.
>
> 2011/12/1 Douglas E. Engert<[email protected]>:
>>
>>
>> On 12/1/2011 8:04 AM, Jean-Pierre Fortune wrote:
>>> Hello,
>>>
>>> I am currently trying to sign a file with an iasecc compliant
>>> smartcard and openssl but I can't find out how to specify the private
>>> key to use.
>>>
>>> The private key I want to select "belongs" to the ECC Generic ID
>>> application.
>>>
>>> When signing with pkcs15-crypt tool, I execute the following command
>>> and it works well:
>>>
>>> pkcs15-crypt --aid E828BD080FD25047656E65726963 -k $my_key_id --sign
>>> --pkcs1 --sha-1 --input data-1.sha1 --pin $my_pin --output
>>> data-1.auth.sig
>>>
>>> When using openssl, I use the following command:
>>>
>>> openssl
>>> OpenSSL> engine -t dynamic -pre
>>> SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre
>>> LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
>>> (dynamic) Dynamic engine loading support
>>> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
>>> [Success]: ID:pkcs11
>>> [Success]: LIST_ADD:1
>>> [Success]: LOAD
>>> [Success]: MODULE_PATH:/usr/lib/opensc-pkcs11.so
>>> Loaded: (pkcs11) pkcs11 engine
>>> [ available ]
>>> OpenSSL> smime -nodetach -binary -outform PEM -sign -signer $my_cert
>>> pem -inkey $my_key_id -keyform engine -in data-1.txt -out test.p7m
>>> -engine pkcs11
>>> engine "pkcs11" set.
>>> Invalid slot number: 0
>>> PKCS11_get_private_key returned NULL
>>> cannot load signing key file from engine
>>> 3611:error:26096080:engine routines:ENGINE_load_private_key:failed
>>> loading private key:eng_pkey.c:126:
>>> unable to load signing key file
>>> error in smime
>>> OpenSSL>
>>>
>>> The problem is that I couldn't find how to specify $my_key_id in the
>>> latter case.
>>
>> See:
>>
>> http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart
>>
>> The slot_X-id_Y or id_Y are used as parameters to PKCS#11.
>> You can find out what they are on your card using
>>
>> pkcs11-tool --module /usr/lib/opensc-pkcs11.so -L -O
>
> When I do this, I get a list related to the application, "ECC eID".
> The card contains another application "
And does it list anything other than this?
>
> I use pkcs15-tool for examining the card, there are no key and no
> certificates in "ECC eID" but 2 certs and 2 keys in "ECC Generic PKI":
>
> pkcs15-tool --list-applications
> Using reader with a card: Teo by Xiring 00 00
> Application 'ECC eID':
> AID: E828BD080FD2504543432D654944
>
> Application 'ECC Generic PKI':
> AID: E828BD080FD25047656E65726963
>
> pkcs15-tool --list-certificates
> Using reader with a card: Teo by Xiring 00 00
>
> pkcs15-tool --list-certificates --aid E828BD080FD25047656E65726963
> Using reader with a card: Teo by Xiring 00 00
> X.509 Certificate [Signature Certificate]
> Object Flags : [0x2], modifiable
> Authority : no
> Path : e828bd080fd25047656e65726963::b001
> ID : 5369676E6174757265204365727469666963617465
> GUID : {5369676E61747-5726-5204-365727469666}
> Access Rules : read:<always>; update:c1; delete:c1;
> Encoded serial : 02 02 113E
>
> X.509 Certificate [Authentification Certificate]
> Object Flags : [0x2], modifiable
> Authority : no
> Path : e828bd080fd25047656e65726963::b002
> ID :
> 41757468656E74696669636174696F6E204365727469666963617465
> GUID : {41757468-656E-7469-6669-636174696F6E}
> Access Rules : read:<always>; update:c1; delete:c1;
> Encoded serial : 02 02 113F
>
> What I am looking for is how to specify an equivalent to "--aid
> E828BD080FD25047656E65726963" when using the card from openssl and
> engine_pkcs11.
AFAIK with PKCS#11 there is no attribute to set the application.
It looks like ./pkcs11/framework-pkcs15.c always calls
sc_pkcs15_bind with aid = NULL.
But have you tried in your script setting $my_key_id to
id_41757468656E74696669636174696F6E204365727469666963617465
>
> Best regards,
--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
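The following script is an added example, not code from the thread or from OpenSC/engine_pkcs11. It shows the step the thread circles around: the value passed to `-inkey` with `-keyform engine` is not a pkcs15 path or AID but the engine's key spec, `id_<hex>` or `slot_<n>-id_<hex>`, where `<hex>` is the CKA_ID that `pkcs11-tool -O` reports for the private key. Since, as noted above, PKCS#11 has no attribute for selecting an on-card application, the only objects reachable this way are those the OpenSC module actually lists. The listing text, the object labels and the IDs below are constructed to resemble `pkcs11-tool -O` output and are assumptions; the `openssl smime` line is only printed, because running it needs the card and an engine loaded beforehand (the `engine -t dynamic -pre ...` step from the thread, or an equivalent engine section in openssl.cnf).

```shell
#!/bin/sh
# Added example: derive the engine_pkcs11 key spec from a pkcs11-tool -O
# listing and show the matching openssl smime invocation.

# Constructed sample of `pkcs11-tool --module /usr/lib/opensc-pkcs11.so -O`
# output. Labels and IDs are assumptions; the hex ID is the CKA_ID, which
# for OpenSC is the pkcs15 object ID shown by pkcs15-tool.
SAMPLE_LISTING='Private Key Object; RSA
  label:      Signature Key
  ID:         5369676e6174757265204365727469666963617465
  Usage:      sign
Private Key Object; RSA
  label:      Authentication Key
  ID:         41757468656e74696669636174696f6e204365727469666963617465
  Usage:      sign
Certificate Object, type = X.509 cert
  label:      Signature Certificate
  ID:         5369676e6174757265204365727469666963617465'

# Print the CKA_ID of the private key labelled $2 in listing $1.
# Certificates with the same label are ignored; returns 1 if no private
# key with that label exists.
private_key_id() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Private Key Object/ { inkey = 1; label = ""; next }
        /^[^ ]/               { inkey = 0 }
        inkey && /^  label:/  { sub(/^  label: */, ""); label = $0 }
        inkey && /^  ID:/     { sub(/^  ID: */, "")
                                if (label == want) { print; found = 1; exit } }
        END { exit found ? 0 : 1 }'
}

# Build the engine_pkcs11 key identifier for a hex CKA_ID ($1). With a
# slot number ($2) the slot_<n>-id_<hex> form is produced, otherwise
# id_<hex>. Anything that is not an even number of hex digits is rejected,
# since a malformed ID is what makes the engine fail to find the key.
engine_key_spec() {
    hex=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$hex" in
        ""|*[!0-9a-f]*)
            printf "engine_key_spec: '%s' is not a hex ID\n" "$1" >&2; return 1 ;;
    esac
    if [ $(( ${#hex} % 2 )) -ne 0 ]; then
        printf "engine_key_spec: odd-length hex ID '%s'\n" "$1" >&2; return 1
    fi
    if [ -n "$2" ]; then
        printf 'slot_%s-id_%s\n' "$2" "$hex"
    else
        printf 'id_%s\n' "$hex"
    fi
}

# Resolve key label $1 (slot $2) and print the openssl smime command that
# signs $4 into $5 with signer certificate $3 through the pkcs11 engine.
# The command is printed, not executed: it needs the card and a loaded engine.
sign_command() {
    id=$(private_key_id "$SAMPLE_LISTING" "$1") || return 1
    spec=$(engine_key_spec "$id" "$2") || return 1
    printf 'openssl smime -sign -binary -nodetach -outform PEM -signer %s -inkey %s -keyform engine -engine pkcs11 -in %s -out %s\n' \
        "$3" "$spec" "$4" "$5"
}

sign_command "Signature Key" 0 signer.pem data-1.txt test.p7m
```

The check against the listing matters more than the string building: if `pkcs11-tool -O` does not show the key at all (as with the "ECC Generic PKI" objects in the thread, where the module binds the card with no AID), no key spec will make the engine find it, and the `PKCS11_get_private_key returned NULL` error is the expected result.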